DETAILED ACTION 

Priority 

1. Acknowledgment is made of applicant's claim for foreign priority under 35 
U.S.C. 119(a)-(e). The certified copy has been filed in parent Application No. 
2003112414, filed on 04/17/2003. 

Information Disclosure Statement 

2. For the record, the Examiner acknowledges that the IDS submitted on 
04/14/2004 has been received and considered. 

Oath/Declaration 

3. For the record, the Examiner acknowledges that the Oath/Declaration submitted 
on 04/14/2004 has been received and considered. 

Drawings 

4. For the record, the Examiner acknowledges that the Drawings submitted on 
04/14/2004 have been received and considered. 

Specification 

5. For the record, the Examiner acknowledges that the Specification submitted on 
04/14/2004 has been received and considered. 
6. Pursuant to USC 131, claims 1-28 are presented for examination. 

7. Claims 1-28 are pending. 

Claim Rejections - 35 USC § 103 

8. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 1-30 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Douglas et al. (US Patent No. 7,152,242 B2) and further in view of Maier et al. 
(US Patent No. 5,625,815). 

Regarding claims 1, 11 and 21, Douglas discloses an IDS log analysis support 
apparatus, method and program comprising: a log collection section that collects 
a log of an intrusion detection system that is connected to a telecommunication 
network (col. 2 lines 17-20 - "host-based intrusion detection system IDS sensor 
(HIDS) that detects attacks targeted at the host system on which it is installed, 
e.g. on a web server, a domain name server, a mail server, etc."); and a log 
analysis section that obtains statistics of the logs managed by the database and 
analyses the statistics (col. 2 lines 29-35 - "detects attacks by monitoring the 
output to the system and audit logs"). 



Douglas is silent in disclosing a database that stores and manages logs 
collected by the log collection section; however, Maier et al. does disclose 
such a database. It would have been obvious at the time of the invention, 
for one of ordinary skill in the art, to modify the host based intrusion 
detection system of Douglas to make use of a database, as this is an 
efficient means of managing large quantities of data, such as intrusion 
detection logs, and would benefit the invention by providing state of the art 
data management. 

Regarding claims 2, 12 and 22, Douglas discloses the IDS log analysis support 
apparatus, method and program according to claim 1, wherein the log analysis 
section comprises an internal and external similarity analysis device that 
sequentially compares an inward log in the logs, which is a log of accesses made 
from a non-protected subject side of the intrusion detection system to a protected 
subject side of the intrusion detection system, with an outward log in the logs, 
which is a log of accesses made from the protected subject side to the non- 
protected subject side, and sequentially calculates a degree of similarity that 
shows an extent to which the inward log and the outward log match based on the 
result of the comparison, and determines whether or not an abnormality has 
occurred based on the degree of similarity (col. 2 lines 29-58 - "detects attacks 
targeted at the host system on which it is installed, e.g. on a web server, a 
domain name server, a mail server etc." and "monitors logs of applications 
running on the host ... monitor system files via its file integrity checking feature 
... notifying the IDS administrator when key system and security files have been 
accessed, modified or even deleted."). 

Regarding claims 3, 13 and 23, Douglas does not explicitly disclose the IDS log 
analysis support apparatus according to claim 1, wherein the log analysis section 
comprises an access country analysis device that, taking as a subject to be 
detected a name of a country to which belongs a transmission source of an 
inward log in the logs, which is a log of accesses made from a non-protected 
subject side of the intrusion detection system to a protected subject side of the 
intrusion detection system, allocates a ranking to occurrence frequencies of 
country names, and determines that an abnormality has occurred when there is a 
change in the ranking of the country names that are normally detected; however, 
it would have been obvious, to one of ordinary skill in the art, at the time of the 
invention to modify the disclosed "IP Address" of Douglas to be translated / 
traced to the originating country. The benefit of such modification would be to 
extend the usefulness of data that is already being collected by the invention to 
provide more information about the source of an attack (Rejected under the same 
rationale as claims 2, 12, 22, column 13 lines 51-67 and column 14 lines 1-10). 
Regarding claims 4, 14 and 24, Douglas does not explicitly disclose the IDS log 
analysis support apparatus according to claim 1, wherein the log analysis section 
comprises an access country analysis device that, taking as a subject to be 
detected a name of a country to which belongs a transmission source of an 
inward log in the logs, which is a log of accesses made from a non-protected 
subject side of the intrusion detection system to a protected subject side of the 
intrusion detection system, determines that an abnormality has occurred when 
there is an increase in the occurrence frequency of a country name that is not 
normally detected; however, it would have been obvious, to one of ordinary skill in 
the art, at the time of the invention to modify the disclosed "IP Address" of 
Douglas to be translated / traced to the originating country. The benefit of such 
modification would be to extend the usefulness of data that is already being 
collected by the invention to provide more information about the source of an attack 
(Rejected under the same rationale as claims 2, 12, 22, col. 13 lines 51-67 and 
col. 14 lines 1-10). 

Regarding claims 5, 15 and 25, Douglas does not explicitly disclose the IDS log 
analysis support apparatus according to claim 1, wherein the log analysis section 
comprises an access country analysis device that, taking as a subject to be 
detected a name of a country to which belongs a transmission destination of an 
outward log in the logs, which is a log of accesses made from a protected subject 
side of the intrusion detection system to a non-protected subject side of the 
intrusion detection system, allocates a ranking to occurrence frequencies of 
country names, and determines that an abnormality has occurred when there is a 
change in the ranking of the country names that are normally detected; however, 
it would have been obvious, to one of ordinary skill in the art, at the time of the 
invention to modify the disclosed "IP Address" of Douglas to be translated / 
traced to the originating country. The benefit of such modification would be to 
extend the usefulness of data that is already being collected by the invention to 
provide more information about the source of an attack (Rejected under the same 
rationale as claims 2, 12, 22, col. 13 lines 51-67 and col. 14 lines 1-10). 

Regarding claims 6, 16 and 26, Douglas discloses the IDS log analysis support 
apparatus according to claim 1, wherein the log analysis section comprises an 
access country analysis device that, taking as a subject to be detected a name of 
a country to which belongs a transmission destination of an outward log, which is 
a log of accesses made from a protected subject side of the intrusion detection 
system to a non-protected subject side of the intrusion detection system that are 
in the logs, determines that an abnormality has occurred when there is an 
increase in the occurrence frequency of a country name that is not normally 
detected; however, it would have been obvious, to one of ordinary skill in the art, 
at the time of the invention to modify the disclosed "IP Address" of Douglas to be 
translated / traced to the originating country. The benefit of such modification 
would be to extend the usefulness of data that is already being collected by the 
invention to provide more information about the source of an attack (Rejected under 
the same rationale as claims 2, 12, 22, col. 13 lines 51-67 and col. 14 lines 1-10). 

Regarding claims 7, 17 and 27, Douglas discloses the IDS log analysis support 
apparatus according to claim 1, wherein the log analysis section comprises a 
ratio analysis device that compares a short term number of events, which is the 
number of a predetermined event contained in a predetermined unit time period 
in the logs, with an average value of a short term number of events for a plurality 
of the unit time periods, and determines whether or not an abnormality has 
occurred based on a ratio of the short term number of events relative to the 
average value (col. 4 lines 61-67 and col. 5 lines 1-8 - "when a configured time 
interval elapses, a new instance of the EDE module is then started providing the 
previous instance has terminated"). 

Regarding claims 8, 18 and 28, Douglas is silent in disclosing the IDS log 
analysis support apparatus according to claim 1, wherein the log analysis section 
comprises a threshold learning device that calculates a short term number of 
events, which is the number of a predetermined event contained in a 
predetermined unit time period in the logs, and an average value of a short term 
number of events for a plurality of the unit time periods, and a standard deviation 
value of a short term number of events for a plurality of the unit time periods, and 
determines whether or not an abnormality has occurred using a result obtained 
by dividing a difference between the short term number of events of a subject 
being investigated and the average value by the standard deviation value; 
however, it would have been obvious, to one of ordinary skill in the art, at the time 
of the invention to modify the disclosed module callback functionality in which 
modules are started and terminated according to event detections and execute 
for preset time periods (col. 4 lines 61-67 and col. 5 lines 1-8 - "when a 
configured time interval elapses, a new instance of the EDE module is then 
started providing the previous instance has terminated"). 

Regarding claims 9, 19 and 29, Douglas discloses the IDS log analysis support 
apparatus according to claim 1, wherein a plurality of intrusion detection systems 
are connected to the telecommunication network, and the plurality of intrusion 
detection systems each have a different protected subject, and the log analysis 
section comprises an IDS comparison device that compares a monitored profile, 
which is characteristics of logs of a monitored intrusion detection system, which 
is one intrusion detection system from among the plurality of intrusion detection 
systems, with an integrated profile, which is characteristics of logs of all the 
intrusion detection systems other than the monitored intrusion detection system 
from among the plurality of intrusion detection systems, and determines that an 
abnormality has occurred when the difference between the monitored profile and 
the integrated profile is equal to or greater than a predetermined value (col. 4 
lines 31-37 - "scheduled modules (modules that are expected to terminate and 
start again at fixed intervals), the AE monitors the schedule and starts these 
modules at the proper time"). 

Application/Control Number: 10/824,823 Page 10 

Art Unit: 2136 

Regarding claims 10, 20 and 30, Douglas discloses the IDS log analysis support 
apparatus according to claim 9, wherein the IDS comparison device comprises a 
variable state comparison device that compares a variable state that 
accompanies an elapsed time of the monitored profile with a variable state that 
accompanies an elapsed time of the integrated profile, and determines that an 
abnormality has occurred when the difference between the variable states is 
equal to or greater than a predetermined value (col. 4 lines 61-67 and col. 5 lines 
1-8 - "when a configured time interval elapses, a new instance of the EDE 
module is then started providing the previous instance has terminated"). 



Conclusion 

9. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Chinwendu C. Okoronkwo whose telephone number is 
(571) 272 2662. The examiner can normally be reached on MWF 9:30 - 7:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser Moazzami can be reached on (571) 272 4195. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 
Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 